gpg: Signature made Wed Jan 30 18:15:43 2013 UTC
gpg: using RSA key BEB441496300CC3D
gpg: Can't check signature: No public key
On Wed, Jan 30, 2013 at 05:52:38PM +0000, Andy Smith wrote:
> Hi Michael,
>
> On Wed, Jan 30, 2013 at 05:42:57PM +0000, Michael Stevens wrote:
> > So I've decided to join the cool kids and try PHP - in particular, I've
> > installed roundcube.
>
> Well, PHP was cool 5 years ago, now it's all ruby, node.js and
> clojure. :)
>
> > Is there any good info out there on securing php? I'd quite like to not
> > get hacked, which seems to be a common problem with PHP web apps.
>
> If "don't run PHP" doesn't work for you then my best advice is:

Eh. As much as I like to hate on php, any poorly written web application
is just as vulnerable. mod_php's default model just tends to be
inherently insecure, and silly application devs often solve permissions
issues with 777 "because it's just easier" (or maybe they're just
ignorant of how to *properly* secure a directory which needs to be
writable by the application)

That being said, "don't run PHP" :)

> - Keep it up to date

And the moment you stop using it, get rid of it. If you're not using it
daily, remove it. So many times at dreamhost customers were compromised
because of an application they'd installed and forgotten about which was
vulnerable. Keep an inventory of your applications, keep them up to
date. Purge early and purge often.
> - Expect to be compromised, so try to secure your PHP execution
> environment from the rest of your server.
>
> e.g. do assume that at some point an attacker will get to execute
> commands as the user that is running your PHP app so try to reduce
> what the app can do.

I can't agree with this statement any harder than I am right now. This
statement is basically web application security from an ops perspective
in a nutshell.

-Jeremy
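The two ops points above (the "777 because it's easier" directories, and reducing what the PHP user can do) can be turned into a quick audit. The script below is an added example, not code from the thread or from roundcube; it assumes a POSIX shell with GNU find/stat, and the group name and paths are placeholders you would replace with your web server's group and document root.

```shell
#!/bin/sh
# Audit a web root for world-writable directories and tighten the ones an
# application genuinely needs to write to, using group ownership instead of
# mode 0777. Added example; directory layout in demo() is constructed.

# Print every world-writable directory below $1, one per line.
find_world_writable() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Number of world-writable directories below $1.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Make $1 writable by the web server's group ($2) rather than by everyone:
# owner and group get rwx, others get nothing, and the sticky bit (1xxx)
# stops users from deleting each other's files in a shared upload directory.
# In production you would also chown the directory to a dedicated app user.
harden_writable_dir() {
    dir=$1; group=$2
    chgrp "$group" "$dir" || return 1
    chmod 1770 "$dir"
}

# Octal mode of $1, including the sticky/setgid bits (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Build a constructed sample tree, show the audit before and after hardening.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/app/cache" "$root/app/uploads" "$root/app/lib"
    chmod 777 "$root/app/cache" "$root/app/uploads"   # the lazy fix
    chmod 755 "$root/app/lib"                          # code should not be writable
    echo "world-writable before:"; find_world_writable "$root"
    harden_writable_dir "$root/app/uploads" "$(id -gn)"
    harden_writable_dir "$root/app/cache" "$(id -gn)"
    echo "world-writable after:"; find_world_writable "$root"
    rm -rf "$root"
}
```

Run `demo` to see the audit on the constructed tree, or call `find_world_writable /var/www` against a real document root; anything it lists is a directory any local user or compromised service could write into.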